Privacy Regulations, Data De-Identification, and the Impact on Due Diligence
Privacy Regulations, Data De-Identification, and the Impact on Due Diligence
Data is one of the world’s most valuable commodities, but as the sale and storage of personal data has become big business, privacy regulations have followed suit. These regulations have implications for due diligence practices, as more individuals have the ability to opt out of the retention and distribution of their personal data, and some jurisdictions have opted to begin de-identifying personal information in public records.
The impact of data privacy regulations on due diligence has been particularly evident in the European Union (EU), which implemented the General Data Protection Regulation (GDPR) in 2018. GDPR revolutionized data privacy for EU residents by granting rights to individuals regarding how their personal data is stored, processed, used and shared, as well as by creating the rights to be informed and forgotten. Although implemented by the EU, the impact of GDPR has been global.
GDPR has fundamentally changed how due diligence is conducted and how personally identifiable information (PII) is handled. It has also inspired similar data privacy laws, such as the California Consumer Privacy Act (CCPA) (effective January 2020) and California Privacy Rights Act (CPRA) (effective January 2022 with a one-year lookback) in the United States (U.S.), and the General Data Protection Law (LGPD) (effective February 2020) in Brazil. While these regulations are still in their relative infancy, by comparison, it has been almost three years since the implementation of GDPR, and the efforts of organizations and agencies to comply with the regulations are increasingly being realized. Because of this, it is critical to examine the recent impacts GDPR has had on the due diligence process.
Data privacy legislation continues to expand, and due diligence practices will continue to adapt to the shifting status of personal data, which makes it more important than ever to have reliable in-country resources and knowledge of de-identification in public records.
INCREASED APPLICATION OF DE-IDENTIFICATION IN PUBLIC RECORDS
As organizations seek to comply with GDPR guidelines relating to personal data, two measures have been widely recommended and implemented as a way to present public records without personal identifiers, thus ensuring compliance for data controllers and processors: anonymization and pseudonymization.
Anonymization is the act of completely and irreversibly redacting all PII from a record, so that an individual cannot be identified from the publication. Consider the following example for a court judgment or decision:
The original text reads as follows: Simon Davies, born September 1, 1980, residing at 1234 Apple Lane in Amsterdam, sued his former employer, XYZ Corp., for unpaid wages.
Under anonymization, this text becomes: Plaintiff, born on Date, residing at Address, sued his former Company for unpaid wages.
Pseudonymization appears to be a less extreme redaction measure, but it still strives to achieve personal data protection. In pseudonymization, PII is not fully anonymized, but instead altered to make identification challenging, if not impossible. However, it is important to remember that pseudonymization is reversible. Again, consider the example mentioned above for a court judgment or decision:
Under pseudonymization, this text becomes: A.C., aged 35 – 45, residing in Amsterdam, sued his former Company for unpaid wages.
Both anonymization and pseudonymization are methods for complying with GDPR requirements, and they are being increasingly put to use for compliance purposes. Although GDPR does not apply to anonymized data records, it does apply to pseudonymized records. Simply put and explicitly cited in Recital 26 of the GDPR, “The principles of data protection should therefore not apply to anonymous information.”
While the use of anonymization and pseudonymization of public records is on the rise, it is worth noting that the most significant applications of these methods are being seen in a very targeted dataset, namely with records of criminal history and civil litigation. Although anonymization and pseudonymization are limited in application, it significantly alters the ability to search, obtain and verify criminal history and civil litigation records when conducting international due diligence.
IMPACTS TO THE AVAILABILITY OF CRIMINAL AND CIVIL LITIGATION RECORDS
Information about an individual’s criminal history and civil litigation involvement is vital to identifying potential risks.
With the implementation of increasingly restrictive data privacy regulations, access to criminal history and civil litigation records is becoming more difficult. Even before the implementation of GDPR guidelines, many EU member states and the EU itself had data privacy laws in place. These laws were apparent in efforts to obtain and/or verify a record of criminal clearance. Depending on the member state, there were guidelines for third party due diligence providers to follow in order to obtain or verify a certificate with the issuing authority.
Under GDPR, the rules have now been updated to reflect two burdens: (1) proving the processing is lawful, which is done by proving at least one of six legal bases for processing an individual’s data, the most common of which is freely-given consent; and, (2) official authority to process the data, which is more complex. Simply put, just because you receive written consent, it does not always mean you are in compliance and the official authority will freely share the data.
The most notable evolution is the wide-reaching implementation of anonymization and pseudonymization in civil court judgments and decisions. It appears, depending on the locale, that more authorities have opted to redact personal identifiers in court judgments and decisions altogether to avoid infringing upon an individual’s rights and risking hefty fines. The simple solution here has been to anonymize the data and release the anonymized or pseudonymized form to the public record.
For example, in the Netherlands, GDPR regulations were not a drastic change from the country’s prior regulation, the Dutch Personal Data Protection Act. The country’s judiciary, De Rechtspraak, has worked to improve anonymization in court judgments since the 2000s. Their general principle has been to anonymize any data that identifies a natural person, a natural person at a legal entity or an organized group. The Dutch Judiciary even provides a lengthy breakdown of replacement terms for personal information identifiers, including generic terms for obvious personal identifiers, such as [plaintiff] and [defendant] for litigant names, and [date of birth] or [address] for common identifiers, as well as broader generic terms for information that can be traced to an individual, such as [number or letter sequence] for identification numbers, or [travel route] for immigrants who came to the Netherlands.
It is worth noting that not all European countries are taking to anonymization and pseudonymization. Although the United Kingdom (UK) exited the EU in January 2020, it had already implemented a GDPR-compliant law, the Data Protection Act 2018. This act shares several tenets of GDPR, including an individual’s right to know, right to access, and the right to erase their personal data. As it pertains to court judgments, there is also a constitutional principle of open justice in the UK, and court proceedings occur in an open forum. Therefore, the content of these proceedings, including personal information, is on the public record. The Courts and Tribunals Judiciary of England and Wales has determined that the publication of personal data in orders or judgments is “necessary in the public interest of the administration of justice.” Individuals are welcomed to challenge this determination in individual matters but are advised to seek legal advice.
While measures such as anonymization and pseudonymization have not been uniformly applied across EU states or beyond, there is an increasing application of measures such as these as a means to comply with data privacy regulations and protect PII from open access.
FILLING THE GAPS WITH IN-COUNTRY RESOURCES
Increasing anonymization and pseudonymization of records poses a unique challenge to the traditional due diligence process, which relies on PII contained in public records to connect those records to a person.
Although many countries have constrained the availability of PII in public records, and this trend is likely to continue, the U.S. still has relatively open access to PII. But there is an uncertainty behind every request for due diligence outside of the U.S., which raises the question: Is meaningful due diligence still possible? The response to this is a resounding “yes.” It is not only possible, it is more important than ever before, but it is crucial to know the specific de-identification practices used for public records in each applicable jurisdiction.
As a third-party due diligence firm, BDO has decades of experience providing international due diligence services, with more than 125 global professionals skilled in over 24 languages, and investigative resources and expertise in more than 170 countries. BDO’s greatest advantage when attempting to navigate the changing data privacy landscape is the knowledge of our global network of in-country resources, who have maintained long-standing and trusted relationships with the Investigative Due Diligence practice. Our global member firms and trusted international resources work alongside us, conveying their first-hand knowledge of the anonymization and/or pseudonymization of records, or other similar measures, that are occurring in their country. Together with our global member firms and trusted international resources, we continue to monitor ongoing developments and changes in PII availability in public records and work to find supplementary means of access to the information that was once publicly available.
In some countries, anonymization and/or pseudonymization has either not been implemented or has been minimal to date, and our access to significant information via public records has not been altered. However, in other countries, restrictions in the PII available in public records have been cause for reworking our due diligence methodology. In these jurisdictions, we rely more on reputational source information and media. While the information reported by both of these sources can be subjective in nature, reputational inquiries with local sources and a contextual review of media can often uncover the most significant information and reputational risk factors, while also helping to develop a robust and holistic profile of the subject and often paving the road for further targeted research. We have tested the value of intelligence obtained through these methods, which often yield information regarding reputation, political involvement, known or alleged questionable dealings, affiliations and other invaluable information that can only be obtained via human resources.
Although the sources of information may be shifting in certain jurisdictions due to increasingly restrictive data privacy regulations and measures such as anonymization and/or pseudonymization, there remains significant and meaningful intelligence to be obtained, especially to those who know how to navigate the landscape of public records around the world. In this ever-changing environment, working with a trusted, global third-party due diligence provider is key.